<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to extract query from MySQL Slow Query logs? in Splunk Search</title>
    <link>https://community.splunk.com/t5/Splunk-Search/How-to-extract-query-from-MySQL-Slow-Query-logs/m-p/125303#M33859</link>
    <description>&lt;P&gt;Unfortunately this won't really work for me as all queries don't start with Select, insert, update and so on.  I could put all options there but there could always be new ones in the log that I was not aware of. &lt;/P&gt;

&lt;P&gt;What I need is to be able to capture anything after "SET timestamp=1410815181;"  With the understanding that the value for timestamp will always change.&lt;/P&gt;</description>
    <pubDate>Tue, 16 Sep 2014 14:21:04 GMT</pubDate>
    <dc:creator>brandonpal</dc:creator>
    <dc:date>2014-09-16T14:21:04Z</dc:date>
    <item>
      <title>How to extract query from MySQL Slow Query logs?</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-extract-query-from-MySQL-Slow-Query-logs/m-p/125301#M33857</link>
      <description>&lt;P&gt;I've setup a source type and am currently ingesting our MySQL slow query logs.&lt;/P&gt;

&lt;P&gt;To get Splunk to recognize new entries properly I've added the following to my props.conf found at &lt;A href="http://answers.splunk.com/answers/13109/mysql-slow-query-log-parsing.html"&gt;http://answers.splunk.com/answers/13109/mysql-slow-query-log-parsing.html&lt;/A&gt;&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt; [mysqlslow]
 # Use LINE_BREAKER to segment events.  An event may start with either "Time:"" or "User@Host:".
 # Look for a semicolon (termination of previous event) followed by one of those items.
 # However, the very first entry won't have a ";" before it. Instead it is preceeded by "Argument".
 LINE_BREAKER = (?:;|Argument)(\n)(?:\# Time: |\# User@Host: )
 SHOULD_LINEMERGE = false
 TRUNCATE = 0
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Now I need to have a field extraction for the query itself.  The above mentioned page recommends&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt; EXTRACT-mysqlslow-query-line = \n(?&amp;lt;query&amp;gt;[^#].*)$
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;So that's not working at all for me.  Splunk seems to be ignoring it completely. &lt;/P&gt;

&lt;P&gt;Below is an example of what the log looks like.  I need to abstract everything after the  SET timestamp=1410815181;&lt;/P&gt;

&lt;P&gt;Any help would be greatly appreciated.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;# User@Host: db_probe[db_probe] @  [x.x.x.x]
# Query_time: 2.055869  Lock_time: 0.000081 Rows_sent: 6  Rows_examined: 2933112
SET timestamp=1410815181;
SELECT run_code, oid_job_log, log_path_file
FROM rcodb.job_log job
WHERE
       server = 'xxxxx'
       AND update_timestamp &amp;gt; now() - INTERVAL 30 MINUTE
       ORDER BY run_code;
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Mon, 15 Sep 2014 21:09:38 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-extract-query-from-MySQL-Slow-Query-logs/m-p/125301#M33857</guid>
      <dc:creator>brandonpal</dc:creator>
      <dc:date>2014-09-15T21:09:38Z</dc:date>
    </item>
    <item>
      <title>Re: How to extract query from MySQL Slow Query logs?</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-extract-query-from-MySQL-Slow-Query-logs/m-p/125302#M33858</link>
      <description>&lt;P&gt;Try this in your transforms.conf:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[sql-log-times]
REGEX = Query_time:\s(\d+.\d+)\s+Lock_time:\s(\d+.\d+)\s+Rows_sent:\s(\d+)\s+Rows_examined:\s(\d+)
FORMAT = query_time::$1 lock_time::$2 rows_sent::$3 rows_examined::$4


[sql-queries]
REGEX = ((SELECT|INSERT|UPDATE)(?s).+?;)
FORMAT = sql_query::$1
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Mention these two stanzas in the corresponding props.conf entry.&lt;/P&gt;</description>
      <pubDate>Mon, 15 Sep 2014 22:14:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-extract-query-from-MySQL-Slow-Query-logs/m-p/125302#M33858</guid>
      <dc:creator>sk314</dc:creator>
      <dc:date>2014-09-15T22:14:37Z</dc:date>
    </item>
    <item>
      <title>Re: How to extract query from MySQL Slow Query logs?</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-extract-query-from-MySQL-Slow-Query-logs/m-p/125303#M33859</link>
      <description>&lt;P&gt;Unfortunately this won't really work for me as all queries don't start with Select, insert, update and so on.  I could put all options there but there could always be new ones in the log that I was not aware of. &lt;/P&gt;

&lt;P&gt;What I need is to be able to capture anything after "SET timestamp=1410815181;"  With the understanding that the value for timestamp will always change.&lt;/P&gt;</description>
      <pubDate>Tue, 16 Sep 2014 14:21:04 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-extract-query-from-MySQL-Slow-Query-logs/m-p/125303#M33859</guid>
      <dc:creator>brandonpal</dc:creator>
      <dc:date>2014-09-16T14:21:04Z</dc:date>
    </item>
    <item>
      <title>Re: How to extract query from MySQL Slow Query logs?</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-extract-query-from-MySQL-Slow-Query-logs/m-p/125304#M33860</link>
      <description>&lt;P&gt;In that case, you can replace that with REGEX = SET timestamp=\d+;((?s).+?;)&lt;BR /&gt;
FORMAT = sql_query::$1&lt;/P&gt;

&lt;P&gt;(if SET timestamp line and SQL Query are not in the same line, please include a '\n' at the end of the timestamp statement in the regex)&lt;/P&gt;</description>
      <pubDate>Tue, 16 Sep 2014 16:02:12 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-extract-query-from-MySQL-Slow-Query-logs/m-p/125304#M33860</guid>
      <dc:creator>sk314</dc:creator>
      <dc:date>2014-09-16T16:02:12Z</dc:date>
    </item>
  </channel>
</rss>

